Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Announcing STARTTLS Everywhere: Securing Hop-to-Hop Email Delivery

Today we’re announcing the launch of STARTTLS Everywhere, EFF’s initiative to improve the security of the email ecosystem.

Thanks to previous EFF efforts like Let's Encrypt, and Certbot, as well as help from the major web browsers, we've seen significantwins in encrypting the web. Now we want to do for email what we’ve done for web browsing: make it simple and easy for everyone to help ensure their communications aren’t vulnerable to mass surveillance.

Note that this is a high-level, general post about STARTTLS Everywhere. If you’d like a deeper dive intended for mailserver admins, with all the technical details and caveats, click here.

It’s important to note that STARTTLS Everywhere is designed to be run by mailserver admins, not regular users. No matter your role, you can join in the STARTTLS fun and find out how secure your current email provider is at:

Enter your email domain (the part of your email address after the “@” symbol), and we’ll check if your email provider has configured their server to use STARTTLS, whether or not they use a valid certificate, and whether or not they’re on the STARTTLS Preload List—all different indications of how secure (or vulnerable) your email provider is to mass surveillance.

Wait, Email Is Vulnerable to Mass Surveillance?

Email relies on something called the Simple Mail Transfer Protocol, or SMTP. SMTP is the technical language email servers use to communicate with each other. It was one of the very first application protocols developed for the Internet. It’s even older than HTTP, the protocol your browser uses to talk to webservers when you want to load a website!

Just like HTTP, SMTP was not developed with encryption or authentication in mind, as the trust model on the Internet today is starkly different from what it was in the 70s. Like regular old snail mail, senders can write whatever they want in the "From:" field, or even choose to omit it. And in the same way your post office or your postal carrier can read what you write on a postcard, machines responsible for delivering emails can read their contents, as can anyone who’s watching the traffic they send and receive. But unlike regular mail, the cost of sending emails, spoofing emails, collecting copies of emails, and altering emails in-transit is extremely low.

That means that without encryption, government agencies that perform mass surveillance, like the NSA, can easily sweep up and read everyone’s emails—no hacking or breaking encryption necessary.

So What Is STARTTLS?

STARTTLS is an addition to SMTP, which allows one email server to say to the other, “I want to deliver this email to you over an encrypted communications channel.” The recipient email server can then say “Sure! Let’s negotiate an encrypted communications channel.” The two servers then set up the channel and the email is delivered securely, so that anybody listening in on their traffic only sees encrypted data. In other words, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods.

It’s important to note that if you don’t trust your mail provider and don’t want them to be able to read your emails, STARTTLS isn’t enough. That’s because STARTTLS only provides hop-to-hop encryption, not end-to-end. For example, if a Gmail user sends email to an EFF staffer, the operators of the Google and EFF mailservers can read and copy the contents of that email even if STARTTLS is negotiated perfectly. STARTTLS only encrypts the communications channel between the Google and EFF servers so that an outside party can’t see what the two say to each other—it doesn’t affect what the two servers themselves can see.

Thus, STARTTLS is not a replacement for secure end-to-end solutions. Instead, STARTTLS allows email service providers and administrators to provide a baseline measure of security against outside adversaries.

Great! So if STARTTLS Exists Everything’s Fine, Right?

Unfortunately, STARTTLS has some problems. Although many mailservers enable STARTTLS, most still do not validate certificates. Just like in HTTPS, certificates are what a server uses to prove it really is who it says it is. Without certificate validation, an active attacker on the network can get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly “secure” connection. Since it’s not common practice for emails servers to validate certificates, there’s often little incentive to present valid certificates in the first place.

As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one, and the long tail of mailservers continue to use invalid certificates because no one is validating them anyway.

Additionally, even if you configure STARTTLS perfectly and use a valid certificate, there’s still no guarantee your communication will be encrypted. That’s because when a sending email server says, “I want to deliver this email to you over an encrypted communications channel,” that message is unencrypted. This means network attackers can jump in and block that part of the message, so that the recipient server never sees it. As a result, both servers think the other doesn’t support STARTTLS. This is known as a “downgrade attack,” and ISPs in the U.S. and abroad have been caught doing exactly this. In fact, in 2014 several researchers found that STARTTLS encryption on outbound email from several countries was being regularly stripped.

STARTTLS Everywhere to the Rescue!

STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt. This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers. Finally, STARTTLS Everywhere includes a “preload list” of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.

If you appreciate the work we’ve done on STARTTLS Everywhere, you can also donate to EFF! Your contribution will help further the development of projects like STARTTLS Everywhere that help raise everyone’s level of security.

Related Updates

Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption. Because...

EFF, ACLU, and Stanford cybersecurity scholar Riana Pfefferkorn filed a petition in November 2018 asking a California federal court to make public a ruling that apparently denied a request by the Justice Department to force Facebook to break the encryption of its Messenger application in order to facilitate...

EFF is back this year at Vegas Security Week, sometimes affectionately known as Hacker Summer Camp. Stop by our booths at BSides, Black Hat, and DEF CON to find out about the latest developments in protecting digital freedom, sign up for our action alerts and mailing list, and...

Last week, news broke of a large financial settlement for the massive 2017 Equifax data breach affecting 147 million Americans. While the direct compensation to those harmed and the fines paid are important, it’s equally important to evaluate how much this result is likely to create strong incentives to...

Certbot has a brand new website! Today we’ve launched a major update that will help Certbot’s users get started even more quickly and easily. Certbot is a free, open source software tool for enabling HTTPS on manually-administered websites, by automatically deploying Let’s Encrypt certificates. Since we introduced it in...

San Francisco—The Electronic Frontier Foundation, ACLU and Stanford cybersecurity scholar Riana Pfefferkorn asked a federal appeals court today to make public a ruling that reportedly forbade the Justice Department from forcing Facebook to break the encryption of a communications service for users.Media widely reported last fall that a...

This week the federal Government Accountability Office (GAO) issued an update to its 2016 report on the FBI’s use of face recognition. The takeaway, which they also shared during a Congressional House Oversight Committee hearing: the FBI now has access to 641 million photos—including driver’s license and...

Fresno – On Wednesday, May 22, at 9 am, the Electronic Frontier Foundation (EFF) will argue that criminal defendants have a right to review and evaluate the source code of forensic DNA analysis software programs used to create evidence against them. The case, California v. Johnson, is on appeal...